chore(deps): bump y-websocket from 2.1.0 to 3.0.0 #31
Merged
Contributor
Author
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from
Member
@dependabot rebase
Member
@dependabot rebase
1ec9732 to 67e24ec
Member
@dependabot rebase
67e24ec to ec8ebc1
Member
@dependabot rebase
ec8ebc1 to 33d0df9
Member
@dependabot rebase
33d0df9 to 081c614
Member
@dependabot rebase
Bumps [y-websocket](https://github.com/yjs/y-websocket) from 2.1.0 to 3.0.0.
- [Release notes](https://github.com/yjs/y-websocket/releases)
- [Commits](yjs/y-websocket@v2.1.0...v3.0.0)

---
updated-dependencies:
- dependency-name: y-websocket
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
081c614 to 24b9e20
Musiker15 added a commit that referenced this pull request May 29, 2026
…rd (Phase B/1)

Phase B (security substance), part 1 — #27, #30, #31.

#27 Per-user exponential login backoff
- backoffMs() (1,2,4,8,16,30,60s -> 5-min cap) existed but was dead code.
- Add Redis-clocked per-user cool-off helpers to lib/ratelimit (getBackoffRemainingMs / recordBackoff / clearBackoff).
- Login arms the cool-off on every failed attempt (wrong password OR wrong second factor), checks it before the password compare, and clears it on success. It is keyed by user id, so it follows a targeted account across rotating IPs (the per-IP window alone is evadable).
- RateLimited() can now carry a retryAfterSeconds; apiError() emits a Retry-After header for 429s.

#31 Append-only AuditLog + dead audit types
- New migration 20260529000000_auditlog_append_only: a single-statement BEFORE DELETE trigger rejects any audit-row deletion (history can't be erased even outside the app). Single statement so Prisma's `;`-splitting migration runner applies it cleanly. UPDATEs stay convention-enforced (the only legitimate one is the GDPR userId->NULL de-association from the onDelete: SetNull FK; a conditional UPDATE trigger would need a BEGIN/END body Prisma can't apply).
- Emit TWOFA_VERIFY_TOTP / TWOFA_VERIFY_WEBAUTHN on a verified second factor and RECOVERY_USE when a valid recovery proof unseals the challenge — three previously-dead AuditAction types now reflect reality. Fix the module comment (it claimed a DB check that didn't exist).

#30 ReDoS guard
- ESLint no-restricted-syntax now bans new RegExp() / RegExp(); regexes must be static literals. The codebase has no dynamic regex today; this keeps it that way (a runtime pattern would need a conscious eslint-disable + safe-regex review).

Docs: threat-model.md + CLAUDE.md flipped from "planned" to done for these three; CHANGELOG Security section added. Typecheck, ESLint and the 193-test suite all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
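
The per-user cool-off flow described in the commit message above, as an added sketch that is not the project's code. The helper names come from the commit message; their bodies, the in-memory Map standing in for Redis, the injected clock, the `login`/`verify` shape and the doubling between 60 s and the cap are assumptions.

```javascript
// Added sketch, not the project's code. Helper names follow the commit message;
// bodies, the Map store and the injected clock are assumptions.
const STEPS_S = [1, 2, 4, 8, 16, 30, 60]; // schedule quoted in the commit message
const CAP_MS = 5 * 60 * 1000;             // "5-min cap"

// Delay armed after the n-th consecutive failure. Past the listed steps this
// sketch keeps doubling from 60 s until the cap (assumption).
function backoffMs(failures) {
  if (failures < 1) return 0;
  if (failures <= STEPS_S.length) return STEPS_S[failures - 1] * 1000;
  return Math.min(60000 * 2 ** (failures - STEPS_S.length), CAP_MS);
}

function createBackoff(now = Date.now) {
  const state = new Map(); // stand-in for Redis: userId -> { failures, until }
  return {
    getBackoffRemainingMs(userId) {
      const s = state.get(userId);
      return s ? Math.max(0, s.until - now()) : 0;
    },
    recordBackoff(userId) {
      const failures = (state.get(userId)?.failures ?? 0) + 1;
      state.set(userId, { failures, until: now() + backoffMs(failures) });
    },
    clearBackoff(userId) {
      state.delete(userId);
    },
  };
}

// verify() stands in for the password and second-factor checks (hypothetical).
// The source IP is deliberately not part of the key.
function login(backoff, userId, verify) {
  const remaining = backoff.getBackoffRemainingMs(userId);
  if (remaining > 0) {
    // Refuse before any credential comparison and tell the client when to retry.
    return { status: 429, retryAfterSeconds: Math.ceil(remaining / 1000) };
  }
  if (!verify()) {
    backoff.recordBackoff(userId); // wrong password or wrong second factor
    return { status: 401 };
  }
  backoff.clearBackoff(userId);
  return { status: 200 };
}
```

Because the state is keyed by user id alone, a correct password submitted during the cool-off is still refused with 429, whichever address it arrives from.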
Bumps y-websocket from 2.1.0 to 3.0.0.
Release notes
Sourced from y-websocket's releases.
Commits
- 76619c3 3.0.0
- bdcc05d update deps and remove all optional dependencies
- c802cc9 rip out y-websocket-server
- 6a29fd8 transform server to a proper esm module
- 62a9aa1 Merge pull request #190 from mythmon/patch-1
- b7db6f7 Fix comment about trailing slashes
- 6460a65 Merge pull request #187 from kemo-1/patch-1
- bce6b28 This is the correct path i think